/terraform-aws-template

Project template for building out a full AWS application


Infrastructure

Visit willfarrell/terraform-aws-template for the latest improvements and most up to date documentation.

Accounts

Name          Account ID    Colour    Root Email
master                      ------
production                  Red
staging                     Orange
testing                     Yellow
development                 Green
operations                  Blue
forensics                   Purple

Project Structure

${project}-infrastructure
|-- package.json    # Script shortcuts (lint, install, deploy, test) & versioning?
|-- amis            # Collection of AMIs, built by Packer
|   |-- {name}      # AMI folders, i.e. bastion, ecs, nat or custom ones
|-- master          # Setup for root level account
|   |-- state       # Sets up state management for terraform
|   |-- account     # Account setup (Groups, Monitoring)
|   |-- operations  # Setup for operation pieces
|-- environments
|   |-- account     # Account setup (Roles, Monitoring)
|   |-- domain      # Domain specific VPC, App, API, ECS, etc. Rename folder to `name`.
|-- modules         # Collection of project specific modules

Getting Started

For up to date documentation and modules see terraform-aws-template.

Installing CLIs

$ brew install terraform

# Optional, for building AMIs
$ brew install packer

Setup Terraform Workspaces

To create the workspaces, go to the respective subfolder (/environments/*/), and run:

$ terraform init
$ terraform workspace new production
$ terraform workspace new staging
$ terraform workspace new testing
$ terraform workspace new development

Ensure you have the right workspace selected before you apply.

$ terraform workspace select development
$ terraform workspace list
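Applying in the wrong workspace means applying into the wrong account, so the selection check above is worth automating. The script below is an added example and is not part of terraform-aws-template: it creates whichever of the four workspaces are still missing in the current environment folder and refuses to run `terraform apply` unless the selected workspace is the one named on the command line. It assumes the `terraform` CLI is on PATH when run for real; the parsing and check helpers are plain string functions, and the `terraform workspace list` output they parse (a `*` marks the selected workspace) is reproduced from the CLI's format.

```shell
#!/bin/sh
# Added example (not part of terraform-aws-template): idempotent workspace
# creation plus a guard that ties `terraform apply` to an explicit workspace.
# Assumes the `terraform` CLI is installed for setup/apply; the helper
# functions only operate on the text of `terraform workspace list`.
set -eu

WORKSPACES="production staging testing development"

# Print the selected workspace: `terraform workspace list` marks it with a
# leading '*'.
selected_workspace() {
  printf '%s\n' "$1" | sed -n 's/^\* *//p'
}

# Print the expected workspaces that are absent from the list output, one
# per line, so `terraform workspace new` never fails with "already exists".
missing_workspaces() {
  list="$1"
  for ws in $WORKSPACES; do
    if ! printf '%s\n' "$list" | sed 's/^\* *//; s/^ *//' | grep -qx "$ws"; then
      echo "$ws"
    fi
  done
}

# Return 0 only if the selected workspace in the list output ($2) is $1.
# Applying staging changes into production is the mistake this catches.
check_workspace() {
  want="$1"
  have="$(selected_workspace "$2")"
  if [ "$have" != "$want" ]; then
    echo "refusing to apply: selected workspace is '${have:-none}', expected '$want'" >&2
    return 1
  fi
}

# Create any workspace that does not exist yet in the current folder.
ensure_workspaces() {
  terraform init -input=false >/dev/null
  for ws in $(missing_workspaces "$(terraform workspace list)"); do
    terraform workspace new "$ws"
  done
}

# Plan and apply, but only after the workspace check passes.
guarded_apply() {
  check_workspace "$1" "$(terraform workspace list)"
  terraform plan -input=false -out=tfplan
  terraform apply -input=false tfplan
}

# Usage (from /environments/<name>/):
#   ./tf-workspace-guard.sh setup
#   ./tf-workspace-guard.sh apply development
case "${1:-}" in
  setup) ensure_workspaces ;;
  apply) guarded_apply "${2:?workspace name required}" ;;
esac
```

Run `setup` once per environment folder after `terraform init`; thereafter always go through `apply <workspace>` rather than a bare `terraform apply`, so the intended target is stated every time.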

Setup Multi-Accounts

See docs/Multi Account Setup.md for detailed steps.

Build AMIs

To create the AMIs, go to the respective subfolder (/amis/*/), edit the variables.json, and run:

$ packer build -var-file=variables.json ami.json

See docs for configuration and full documentation.

Install node dependencies

$ npm run install:npm

Switch Roles

  • OrganizationAccountAccessRole: Admin Access

It is recommended that the account/roles module be forked and customized to your specific needs.

Manual Steps

Deployment Steps

  1. Build any AMIs that will be needed:
packer build -var-file=variables.json ami.json
  2. master/state

  3. master/account

    • Users (Manual)
    • Macie (Manual)
    • Sub-Accounts / Organization
    • Groups for sub account access
    • Roles for sub accounts (bastion, ECR)
    • AMI permissions
    • CloudTrail
    • GuardDuty
    • Security Hub
  4. Switch Roles into each sub-account using OrganizationAccountAccessRole. Create a temporary terraform user to bootstrap the assume roles. Be sure to delete that user (and its access keys) after you bootstrap.

  5. Setup terraform workspaces. Run the following in each environments folder:

terraform workspace new production
terraform workspace new staging
terraform workspace new testing
terraform workspace new development
terraform workspace select ${sub_account_name}
  6. environment/account

    • Roles (admin, developer, operator, audit, etc)
    • API Gateway Logs
    • CloudTrail
    • GuardDuty
    • Inspector Agent
    • Macie (Manual)
  7. At this point you'll need to update your AWS credentials so that Terraform assumes the admin role created in the previous step instead of using the bootstrap user. Add a profile to ~/.aws/credentials (the same settings work in ~/.aws/config under a `[profile ...]` header); note that the AWS CLI key for the session name is `role_session_name`:

[${profile}-${sub_account_name}]
source_profile = ${profile}
role_arn = arn:aws:iam::${sub_account_id}:role/admin
role_session_name = ${profile}-${sub_account_name}
  8. environment/domain
    • VPC
    • VPC Endpoints (S3, DynamoDB)
    • Bastion
    • RDS (postgres, mysql)
    • ElastiCache (redis)
    • Elasticsearch
    • DynamoDB
    • ALB + ECS
    • NLB + ECS
    • ECS
    • API Gateway
    • Events, SQS, SNS, Lambda, S3
    • CloudFront
    • S3
    • CloudWatch Dashboards
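The credentials step above is where the bootstrap user is retired and every later `terraform apply` runs as the sub-account `admin` role, so it pays to confirm the profile actually lands where you expect before continuing. The script below is an added example, not code from terraform-aws-template: it renders the profile stanza for one sub-account, appends it to ~/.aws/credentials if it is not already there, and then checks that `aws sts get-caller-identity` through that profile reports the intended account ID and an `assumed-role/admin/...` ARN. It assumes the `aws` CLI is installed and the parent profile already works; the role name `admin` and the stanza layout come from the deployment step, the account ID and JSON response used in the usage note are constructed samples.

```shell
#!/bin/sh
# Added example (not part of terraform-aws-template): write the assume-role
# profile for one sub-account and verify the identity it yields before any
# Terraform run uses it. Assumes the `aws` CLI and a working parent profile;
# the render/parse/check helpers need neither.
set -eu

# Render the stanza from the deployment step for ~/.aws/credentials
# (no "profile " prefix there; add it if you use ~/.aws/config instead).
profile_stanza() {
  profile="$1"; sub_account_name="$2"; sub_account_id="$3"
  printf '[%s-%s]\nsource_profile = %s\nrole_arn = arn:aws:iam::%s:role/admin\nrole_session_name = %s-%s\n' \
    "$profile" "$sub_account_name" "$profile" "$sub_account_id" "$profile" "$sub_account_name"
}

# Extract a top-level string field ($1) from get-caller-identity JSON ($2)
# without depending on jq; works on pretty-printed and compact output.
json_field() {
  printf '%s\n' "$2" | sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Return 0 only if the identity belongs to account $1 and the assumed role
# is "admin" (ARN form: arn:aws:sts::<account>:assumed-role/admin/<session>).
identity_ok() {
  expected_id="$1"; json="$2"
  account="$(json_field Account "$json")"
  arn="$(json_field Arn "$json")"
  [ "$account" = "$expected_id" ] || return 1
  case "$arn" in
    "arn:aws:sts::$expected_id:assumed-role/admin/"*) return 0 ;;
  esac
  return 1
}

# Append the stanza once, then prove the profile resolves to the right
# account and role. A failure here means Terraform would run somewhere else.
bootstrap_profile() {
  profile="$1"; sub_account_name="$2"; sub_account_id="$3"
  creds="${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
  if ! grep -qx "\[$profile-$sub_account_name\]" "$creds" 2>/dev/null; then
    profile_stanza "$profile" "$sub_account_name" "$sub_account_id" >> "$creds"
  fi
  json="$(aws --profile "$profile-$sub_account_name" sts get-caller-identity --output json)"
  if identity_ok "$sub_account_id" "$json"; then
    echo "ok: $profile-$sub_account_name -> admin in $sub_account_id"
  else
    echo "identity check failed for $profile-$sub_account_name:" >&2
    printf '%s\n' "$json" >&2
    return 1
  fi
}

# Usage: ./bootstrap-profile.sh <parent-profile> <sub-account-name> <sub-account-id>
if [ $# -eq 3 ]; then
  bootstrap_profile "$1" "$2" "$3"
fi
```

With the constructed sample account `123456789012`, `./bootstrap-profile.sh ops production 123456789012` appends `[ops-production]` to the credentials file and only reports `ok` when STS returns `"Account": "123456789012"` with an `assumed-role/admin/` ARN; a wrong account or a different role name fails the check, which is the moment to stop and fix the profile rather than run `terraform apply`.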

Built With

Modules

Contributing

See Developer Guide (TODO add link)

Versioning

We use SemVer for versioning. For the versions available, see the tags on this repository.

Authors

See also the list of contributors who participated in this project.

License

This project is licensed under the MIT License - see the LICENSE file for details

Acknowledgments